The unlawful sharing by Canada’s electronic spy agency of metadata involving Canadians’ communications went on for years before the practice was suspended in 2014, parliamentarians learned Monday.

The disclosure by Jean-Pierre Plouffe, head of the small, independent agency that monitors the legality of Communications Security Establishment (CSE) operations, means vast amounts of unprotected data were shared with Canada’s “Five Eyes” intelligence partners in the United States, Britain, Australia and New Zealand.

Plouffe, testifying before the Senate’s national security committee, was asked by Senate Opposition Leader Claude Carignan how many Canadians were affected by the privacy breach.

“Given the number of years which this happened, and given the fact this is a systemic issue, it was difficult to establish the volume and the number of people affected,” replied Plouffe.

“Hundreds of thousands?” asked Carignan.

“It is impossible to know the exact figure,” said Plouffe.

Metadata is information used by computer systems to identify, describe, manage or route communications across networks. It can include Internet protocol addresses, phone numbers and the time of a transmission or the location of a device. The data is vital to the CSE’s collection of foreign electronic signals to detect and defend against cyber threats to Canadian networks and terrorist threats to national security.

While metadata does not reveal the content of the communications, it can expose information about the user. CSE computer software is supposed to “minimize” such information — removing potentially revealing details — before it is shared with foreign partners. Instead, reams of unminimized metadata flowed to a U.S.-based Five Eyes metadata sharing point for years.

The spy agency first discovered the problem in late 2013 and suspended the practice in early 2014 until a technical fix could be found. It has yet to resume the metadata sharing, Plouffe said Monday.

The CSE notified Plouffe’s Office of the Communications Security Establishment Commissioner soon after discovering the problem. Plouffe went public in his annual report, released in January, and sanctioned the agency for breaking the law — the first such rebuke in the agency’s long history.

Speaking with reporters Monday, Plouffe said the problem was, “not accidental” but rather caused by the CSE’s “lack of due-diligence.”

He said he is confident any personal information about Canadians contained in the metadata was caught and filtered out by a Five Eyes policy to protect such information when inadvertently collected and shared by other partners.

The CSE issued a statement Monday in response to Plouffe’s remarks, saying, “the metadata shared does not contain enough information or context to identify specific individuals.

“In light of this, and coupled with additional safeguards applied by CSE and its Five Eyes allies to protect the privacy of our nationals, the privacy impact is assessed as low.”